Generally, in interne banking, emailing, or data communication including secret information, various spyware or hacking programs intercept data input through an input device such as a keyboard, and transmit the data to a predetermined email address or a web server in order to drain privacy information or top secret information, etc.
In order to fundamentally block these ill-intentioned programs from being used, security systems and methods related to keyboard security have been researched.
There are two types of keyboards, that is, a PS/2 type and a USB type. In the PS/2 type, physical electrical signals created by operations of a keyboard are transmitted to an operating system, and corresponding interrupt routines are separately processed by queues (first in, first out; FIFO), respectively.
Further, the USB type keyboard is manufactured to exchange messages with an operating system, where packets including multiple data flow between a main body of a computer and peripheral devices in place of simple electrical signals.
FIG. 1 shows a processing path of keyboard data from a general USB keyboard. Here, the keyboard data input from the keyboard passes through a driver layer provided with a universal serial bus (USB) driver 10, a USB hub driver 20, USBCCGP, an HID USB driver 30, a KBD (Keyboard) HID driver 40, and a KBD CLASS driver 50.
Recent USB keyboard security products or malicious keyloggers are using various methods ranging from a filtering-and-hooking method for a layer of the KBD CLASS driver 50 to a filtering-and-hooking method for the HID USB driver 30.
There are an upper filter driver 35 and a lower filter driver 33 provided at both sides of the HID USB driver 30, which protect the keyboard or perform keylogging.
Recently, an HID USB keyboard security product performing hooking for a layer of the USB hub driver 20 has been introduced, and most HID USB keyboard security products and malicious keyloggers use the same technology, which is filtering and hooking, for the layer of the HID USB driver 30, so that interference and collision between security products occurs frequently.
Therefore, since the method of hooking or filtering for the layer of the HID USB driver 30, or hooking or filtering for the layer of the USB hub driver 20, reaches the limits of protection for the USB keyboard data, important information input from a user, that is, the USB keyboard data, cannot be further safely protected.